Comment: S. Oksenenko. Added a DMVPN configuration example in a cluster

...

After the cluster has been configured successfully, you can proceed to configuring the services.

WLC configuration

System prompt configuration

The system prompt makes it possible to display the operational state of the cluster directly in the CLI prompt of the device, which makes it easier to obtain up-to-date information.

...

Configuration example: DMVPN Single Hub (cluster) Dual Cloud topology

Task:

Set up DMVPN between the company's offices using mGRE tunnels, NHRP (Next Hop Resolution Protocol), a dynamic routing protocol (BGP) and IPsec. In this example there is one HUB router and two branch offices. The HUB is the DMVPN server (NHS), and the branches are DMVPN clients (NHC).

...

Let us configure the dynamic routing protocol for SPOKE-1. In this example it is eBGP, for which subnet advertisement must be permitted explicitly. We advertise the LAN subnets towards the HUB using network in the address-family.

To speed up failover if the Active device in the cluster fails, we also enable BFD for BGP and reduce the error-wait timer.

SPOKE-1(config)# route-map DMVPN_BGP_OUT
SPOKE-1(config-route-map)# rule 1
SPOKE-1(config-route-map-rule)# exit
SPOKE-1(config-route-map)# exit
SPOKE-1(config)# router bgp 64501
SPOKE-1(config-bgp)# timers error-wait 5 10
SPOKE-1(config-bgp)# neighbor 203.0.113.1
SPOKE-1(config-bgp-neighbor)# remote-as 64500
SPOKE-1(config-bgp-neighbor)# allow-local-as 10
SPOKE-1(config-bgp-neighbor)# update-source 203.0.113.2
SPOKE-1(config-bgp-neighbor)# fall-over bfd
SPOKE-1(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-1(config-bgp-neighbor-af)# route-map DMVPN_BGP_OUT out
SPOKE-1(config-bgp-neighbor-af)# enable
SPOKE-1(config-bgp-neighbor-af)# exit
SPOKE-1(config-bgp-neighbor)# enable
SPOKE-1(config-bgp-neighbor)# exit
SPOKE-1(config-bgp)# neighbor 203.0.113.129
SPOKE-1(config-bgp-neighbor)# remote-as 64500
SPOKE-1(config-bgp-neighbor)# allow-local-as 10
SPOKE-1(config-bgp-neighbor)# update-source 203.0.113.130
SPOKE-1(config-bgp-neighbor)# fall-over bfd
SPOKE-1(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-1(config-bgp-neighbor-af)# route-map DMVPN_BGP_OUT out
SPOKE-1(config-bgp-neighbor-af)# enable
SPOKE-1(config-bgp-neighbor-af)# exit
SPOKE-1(config-bgp-neighbor)# enable
SPOKE-1(config-bgp-neighbor)# exit
SPOKE-1(config-bgp)# address-family ipv4 unicast
SPOKE-1(config-bgp-af)# network 128.66.1.0/24
SPOKE-1(config-bgp-af)# exit
SPOKE-1(config-bgp)# enable
SPOKE-1(config-bgp)# exit

Let us configure IPsec for SPOKE-1. First we configure the IKE proposal, IKE policy and IKE gateways. In the IKE gateways we additionally configure DPD, to speed up tunnel re-establishment if the Active device fails:

SPOKE-1(config)# security ike proposal ike_proposal
SPOKE-1(config-ike-proposal)# authentication algorithm sha2-256
SPOKE-1(config-ike-proposal)# encryption algorithm aes256
SPOKE-1(config-ike-proposal)# dh-group 19
SPOKE-1(config-ike-proposal)# exit
SPOKE-1(config)# security ike policy ike_policy
SPOKE-1(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
SPOKE-1(config-ike-policy)# proposal ike_proposal
SPOKE-1(config-ike-policy)# exit
SPOKE-1(config)# security ike gateway ike_gateway_cloud_one
SPOKE-1(config-ike-gw)# version v2-only
SPOKE-1(config-ike-gw)# ike-policy ike_policy
SPOKE-1(config-ike-gw)# local address 198.51.100.10
SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre
SPOKE-1(config-ike-gw)# remote address 198.51.100.2
SPOKE-1(config-ike-gw)# remote network 198.51.100.2/32 protocol gre
SPOKE-1(config-ike-gw)# mode policy-based
SPOKE-1(config-ike-gw)# mobike disable
SPOKE-1(config-ike-gw)# dead-peer-detection action clear
SPOKE-1(config-ike-gw)# dead-peer-detection interval 3
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-1(config-ike-gw)# exit
SPOKE-1(config)# security ike gateway ike_gateway_cloud_two
SPOKE-1(config-ike-gw)# version v2-only
SPOKE-1(config-ike-gw)# ike-policy ike_policy
SPOKE-1(config-ike-gw)# local address 198.51.100.10
SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre
SPOKE-1(config-ike-gw)# remote address 198.51.100.6
SPOKE-1(config-ike-gw)# remote network 198.51.100.6/32 protocol gre
SPOKE-1(config-ike-gw)# mode policy-based
SPOKE-1(config-ike-gw)# mobike disable
SPOKE-1(config-ike-gw)# dead-peer-detection action clear
SPOKE-1(config-ike-gw)# dead-peer-detection interval 3
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-1(config-ike-gw)# exit
SPOKE-1(config)# security ike gateway ike_gateway_to_spokes
SPOKE-1(config-ike-gw)# version v2-only
SPOKE-1(config-ike-gw)# ike-policy ike_policy
SPOKE-1(config-ike-gw)# local address 198.51.100.10
SPOKE-1(config-ike-gw)# local network 198.51.100.10/32 protocol gre
SPOKE-1(config-ike-gw)# remote id any
SPOKE-1(config-ike-gw)# remote address any
SPOKE-1(config-ike-gw)# remote network any protocol gre
SPOKE-1(config-ike-gw)# mode policy-based
SPOKE-1(config-ike-gw)# mobike disable
SPOKE-1(config-ike-gw)# dead-peer-detection action clear
SPOKE-1(config-ike-gw)# dead-peer-detection interval 3
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-1(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-1(config-ike-gw)# exit

Then we configure the IPsec proposal, IPsec policy and IPsec VPN tunnels through each CLOUD:

SPOKE-1(config)# security ipsec proposal ipsec_proposal
SPOKE-1(config-ipsec-proposal)# authentication algorithm sha2-256
SPOKE-1(config-ipsec-proposal)# encryption algorithm aes256
SPOKE-1(config-ipsec-proposal)# pfs dh-group 19
SPOKE-1(config-ipsec-proposal)# exit
SPOKE-1(config)# security ipsec policy ipsec_policy
SPOKE-1(config-ipsec-policy)# proposal ipsec_proposal
SPOKE-1(config-ipsec-policy)# exit
SPOKE-1(config)# security ipsec vpn ipsec_dynamic_to_spoke
SPOKE-1(config-ipsec-vpn)# type transport
SPOKE-1(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-1(config-ipsec-vpn)# ike gateway ike_gateway_to_spokes
SPOKE-1(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-1(config-ipsec-vpn)# enable
SPOKE-1(config-ipsec-vpn)# exit
SPOKE-1(config)# security ipsec vpn ipsec_static_cloud_one
SPOKE-1(config-ipsec-vpn)# type transport
SPOKE-1(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-1(config-ipsec-vpn)# ike gateway ike_gateway_cloud_one
SPOKE-1(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-1(config-ipsec-vpn)# enable
SPOKE-1(config-ipsec-vpn)# exit
SPOKE-1(config)# security ipsec vpn ipsec_static_cloud_two
SPOKE-1(config-ipsec-vpn)# type transport
SPOKE-1(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-1(config-ipsec-vpn)# ike gateway ike_gateway_cloud_two
SPOKE-1(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-1(config-ipsec-vpn)# enable
SPOKE-1(config-ipsec-vpn)# exit

Let us adjust the rules of the WAN security zone: the protocols of the GRE over IPsec tunnel must be permitted.

SPOKE-1(config)# object-group service ISAKMP_PORT
SPOKE-1(config-object-group-service)# port-range 500
SPOKE-1(config-object-group-service)# port-range 4500
SPOKE-1(config-object-group-service)# exit
SPOKE-1(config)# security zone-pair WAN self
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol udp
SPOKE-1(config-security-zone-pair-rule)# match destination-port object-group ISAKMP_PORT
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 2
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol esp
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 3
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol gre
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit

Let us configure the rules of the DMVPN_C_ONE and DMVPN_C_TWO security zones, permitting BGP, BFD and ICMP traffic.

SPOKE-1(config)# object-group service BGP
SPOKE-1(config-object-group-service)# port-range 179
SPOKE-1(config-object-group-service)# exit
SPOKE-1(config)# object-group service BFD
SPOKE-1(config-object-group-service)# port-range 3784
SPOKE-1(config-object-group-service)# exit
SPOKE-1(config)# security zone-pair DMVPN_C_ONE self
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol icmp
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 2
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol tcp
SPOKE-1(config-security-zone-pair-rule)# match destination-port object-group BGP
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 3
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol udp
SPOKE-1(config-security-zone-pair-rule)# match destination-port object-group BFD
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit
SPOKE-1(config)# security zone-pair DMVPN_C_TWO self
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol icmp
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 2
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol tcp
SPOKE-1(config-security-zone-pair-rule)# match destination-port object-group BGP
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# rule 3
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol udp
SPOKE-1(config-security-zone-pair-rule)# match destination-port object-group BFD
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit

Let us adjust the rules of the LAN security zone, permitting traffic between the LAN zone and DMVPN_C_ONE/DMVPN_C_TWO.

SPOKE-1(config)# security zone-pair LAN DMVPN_C_ONE
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit
SPOKE-1(config)# security zone-pair LAN DMVPN_C_TWO
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit
SPOKE-1(config)# security zone-pair DMVPN_C_ONE LAN
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol icmp
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit
SPOKE-1(config)# security zone-pair DMVPN_C_TWO LAN
SPOKE-1(config-security-zone-pair)# rule 1
SPOKE-1(config-security-zone-pair-rule)# action permit
SPOKE-1(config-security-zone-pair-rule)# match protocol icmp
SPOKE-1(config-security-zone-pair-rule)# enable
SPOKE-1(config-security-zone-pair-rule)# exit
SPOKE-1(config-security-zone-pair)# exit

  • Configuring SPOKE-2

Let us create the mGRE tunnels, each through its own CLOUD, assign them to a security zone, configure NHRP, and enable the tunnel and NHRP with the enable command:

SPOKE-2(config)# security zone DMVPN_C_TWO
SPOKE-2(config-security-zone)# exit
SPOKE-2(config)# security zone DMVPN_C_ONE
SPOKE-2(config-security-zone)# exit
SPOKE-2(config)# tunnel gre 1
SPOKE-2(config-gre)# key 1000
SPOKE-2(config-gre)# ttl 64
SPOKE-2(config-gre)# mtu 1400
SPOKE-2(config-gre)# multipoint
SPOKE-2(config-gre)# security-zone DMVPN_C_ONE
SPOKE-2(config-gre)# local address 198.51.100.14
SPOKE-2(config-gre)# ip address 203.0.113.3/25
SPOKE-2(config-gre)# ip tcp adjust-mss 1360
SPOKE-2(config-gre)# ip nhrp holding-time 60
SPOKE-2(config-gre)# ip nhrp shortcut
SPOKE-2(config-gre)# ip nhrp map 203.0.113.1 198.51.100.2
SPOKE-2(config-gre)# ip nhrp nhs 203.0.113.1
SPOKE-2(config-gre)# ip nhrp multicast nhs
SPOKE-2(config-gre)# ip nhrp enable
SPOKE-2(config-gre)# enable
SPOKE-2(config-gre)# exit
SPOKE-2(config)# tunnel gre 2
SPOKE-2(config-gre)# key 2000
SPOKE-2(config-gre)# ttl 64
SPOKE-2(config-gre)# mtu 1400
SPOKE-2(config-gre)# multipoint
SPOKE-2(config-gre)# security-zone DMVPN_C_TWO
SPOKE-2(config-gre)# local address 198.51.100.14
SPOKE-2(config-gre)# ip address 203.0.113.131/25
SPOKE-2(config-gre)# ip tcp adjust-mss 1360
SPOKE-2(config-gre)# ip nhrp holding-time 60
SPOKE-2(config-gre)# ip nhrp shortcut
SPOKE-2(config-gre)# ip nhrp map 203.0.113.129 198.51.100.6
SPOKE-2(config-gre)# ip nhrp nhs 203.0.113.129
SPOKE-2(config-gre)# ip nhrp multicast nhs
SPOKE-2(config-gre)# ip nhrp enable
SPOKE-2(config-gre)# enable
SPOKE-2(config-gre)# exit

Let us configure the dynamic routing protocol for SPOKE-2. In this example it is eBGP, for which subnet advertisement must be permitted explicitly. We advertise the LAN subnets towards the HUB using network in the address-family.

To speed up failover if the Active device in the cluster fails, we also enable BFD for BGP and reduce the error-wait timer.

SPOKE-2(config)# route-map DMVPN_BGP_OUT
SPOKE-2(config-route-map)# rule 1
SPOKE-2(config-route-map-rule)# exit
SPOKE-2(config-route-map)# exit
SPOKE-2(config)# router bgp 64501
SPOKE-2(config-bgp)# timers error-wait 5 10
SPOKE-2(config-bgp)# neighbor 203.0.113.1
SPOKE-2(config-bgp-neighbor)# remote-as 64500
SPOKE-2(config-bgp-neighbor)# allow-local-as 10
SPOKE-2(config-bgp-neighbor)# update-source 203.0.113.3
SPOKE-2(config-bgp-neighbor)# fall-over bfd
SPOKE-2(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-2(config-bgp-neighbor-af)# route-map DMVPN_BGP_OUT out
SPOKE-2(config-bgp-neighbor-af)# enable
SPOKE-2(config-bgp-neighbor-af)# exit
SPOKE-2(config-bgp-neighbor)# enable
SPOKE-2(config-bgp-neighbor)# exit
SPOKE-2(config-bgp)# neighbor 203.0.113.129
SPOKE-2(config-bgp-neighbor)# remote-as 64500
SPOKE-2(config-bgp-neighbor)# allow-local-as 10
SPOKE-2(config-bgp-neighbor)# update-source 203.0.113.131
SPOKE-2(config-bgp-neighbor)# fall-over bfd
SPOKE-2(config-bgp-neighbor)# address-family ipv4 unicast
SPOKE-2(config-bgp-neighbor-af)# route-map DMVPN_BGP_OUT out
SPOKE-2(config-bgp-neighbor-af)# enable
SPOKE-2(config-bgp-neighbor-af)# exit
SPOKE-2(config-bgp-neighbor)# enable
SPOKE-2(config-bgp-neighbor)# exit
SPOKE-2(config-bgp)# address-family ipv4 unicast
SPOKE-2(config-bgp-af)# network 128.66.2.0/24
SPOKE-2(config-bgp-af)# exit
SPOKE-2(config-bgp)# enable
SPOKE-2(config-bgp)# exit

Let us configure IPsec for SPOKE-2. First we configure the IKE proposal, IKE policy and IKE gateways. In the IKE gateways we additionally configure DPD, to speed up tunnel re-establishment if the Active device fails:

SPOKE-2(config)# security ike proposal ike_proposal
SPOKE-2(config-ike-proposal)# authentication algorithm sha2-256
SPOKE-2(config-ike-proposal)# encryption algorithm aes256
SPOKE-2(config-ike-proposal)# dh-group 19
SPOKE-2(config-ike-proposal)# exit
SPOKE-2(config)# security ike policy ike_policy
SPOKE-2(config-ike-policy)# pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
SPOKE-2(config-ike-policy)# proposal ike_proposal
SPOKE-2(config-ike-policy)# exit
SPOKE-2(config)# security ike gateway ike_gateway_cloud_one
SPOKE-2(config-ike-gw)# version v2-only
SPOKE-2(config-ike-gw)# ike-policy ike_policy
SPOKE-2(config-ike-gw)# local address 198.51.100.14
SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre 
SPOKE-2(config-ike-gw)# remote address 198.51.100.2
SPOKE-2(config-ike-gw)# remote network 198.51.100.2/32 protocol gre 
SPOKE-2(config-ike-gw)# mode policy-based
SPOKE-2(config-ike-gw)# mobike disable
SPOKE-2(config-ike-gw)# dead-peer-detection action clear
SPOKE-2(config-ike-gw)# dead-peer-detection interval 3
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-2(config-ike-gw)# exit
SPOKE-2(config)# security ike gateway ike_gateway_cloud_two
SPOKE-2(config-ike-gw)# version v2-only
SPOKE-2(config-ike-gw)# ike-policy ike_policy
SPOKE-2(config-ike-gw)# local address 198.51.100.14
SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre 
SPOKE-2(config-ike-gw)# remote address 198.51.100.6
SPOKE-2(config-ike-gw)# remote network 198.51.100.6/32 protocol gre 
SPOKE-2(config-ike-gw)# mode policy-based
SPOKE-2(config-ike-gw)# mobike disable
SPOKE-2(config-ike-gw)# dead-peer-detection action clear
SPOKE-2(config-ike-gw)# dead-peer-detection interval 3
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-2(config-ike-gw)# exit
SPOKE-2(config)# security ike gateway ike_gateway_to_spokes
SPOKE-2(config-ike-gw)# version v2-only
SPOKE-2(config-ike-gw)# ike-policy ike_policy
SPOKE-2(config-ike-gw)# local address 198.51.100.14
SPOKE-2(config-ike-gw)# local network 198.51.100.14/32 protocol gre 
SPOKE-2(config-ike-gw)# remote id any
SPOKE-2(config-ike-gw)# remote address any
SPOKE-2(config-ike-gw)# remote network any protocol gre 
SPOKE-2(config-ike-gw)# mode policy-based
SPOKE-2(config-ike-gw)# mobike disable
SPOKE-2(config-ike-gw)# dead-peer-detection action clear
SPOKE-2(config-ike-gw)# dead-peer-detection interval 3
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit timeout 1
SPOKE-2(config-ike-gw)# dead-peer-detection retransmit tries 2
SPOKE-2(config-ike-gw)# exit

Then we configure the IPsec proposal, IPsec policy and IPsec VPN tunnels through each CLOUD:

SPOKE-2(config)# security ipsec proposal ipsec_proposal
SPOKE-2(config-ipsec-proposal)# authentication algorithm sha2-256
SPOKE-2(config-ipsec-proposal)# encryption algorithm aes256
SPOKE-2(config-ipsec-proposal)# pfs dh-group 19
SPOKE-2(config-ipsec-proposal)# exit
SPOKE-2(config)# security ipsec policy ipsec_policy
SPOKE-2(config-ipsec-policy)# proposal ipsec_proposal
SPOKE-2(config-ipsec-policy)# exit
SPOKE-2(config)# security ipsec vpn ipsec_dynamic_to_spoke
SPOKE-2(config-ipsec-vpn)# type transport
SPOKE-2(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-2(config-ipsec-vpn)# ike gateway ike_gateway_to_spokes
SPOKE-2(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-2(config-ipsec-vpn)# enable
SPOKE-2(config-ipsec-vpn)# exit
SPOKE-2(config)# security ipsec vpn ipsec_static_cloud_one
SPOKE-2(config-ipsec-vpn)# type transport
SPOKE-2(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-2(config-ipsec-vpn)# ike gateway ike_gateway_cloud_one
SPOKE-2(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-2(config-ipsec-vpn)# enable
SPOKE-2(config-ipsec-vpn)# exit
SPOKE-2(config)# security ipsec vpn ipsec_static_cloud_two
SPOKE-2(config-ipsec-vpn)# type transport
SPOKE-2(config-ipsec-vpn)# ike establish-tunnel route
SPOKE-2(config-ipsec-vpn)# ike gateway ike_gateway_cloud_two
SPOKE-2(config-ipsec-vpn)# ike ipsec-policy ipsec_policy
SPOKE-2(config-ipsec-vpn)# enable
SPOKE-2(config-ipsec-vpn)# exit

Let us adjust the rules of the WAN security zone: the protocols of the GRE over IPsec tunnel must be permitted.

SPOKE-2(config)# object-group service ISAKMP_PORT
SPOKE-2(config-object-group-service)# port-range 500
SPOKE-2(config-object-group-service)# port-range 4500
SPOKE-2(config-object-group-service)# exit
SPOKE-2(config)#  security zone-pair WAN self  
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit 
SPOKE-2(config-security-zone-pair-rule)# match protocol udp 
SPOKE-2(config-security-zone-pair-rule)# match destination-port object-group ISAKMP_PORT 
SPOKE-2(config-security-zone-pair-rule)# enable 
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 2
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol esp
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 3
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol gre
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit

Let us configure the rules of the DMVPN_C_ONE and DMVPN_C_TWO security zones, permitting BGP, BFD and ICMP traffic.

SPOKE-2(config)# object-group service BGP
SPOKE-2(config-object-group-service)# port-range 179
SPOKE-2(config-object-group-service)# exit
SPOKE-2(config)# object-group service BFD
SPOKE-2(config-object-group-service)# port-range 3784
SPOKE-2(config-object-group-service)# exit
SPOKE-2(config)# security zone-pair DMVPN_C_ONE self
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol icmp
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 2
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol tcp
SPOKE-2(config-security-zone-pair-rule)# match destination-port object-group BGP
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 3
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol udp
SPOKE-2(config-security-zone-pair-rule)# match destination-port object-group BFD
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit
SPOKE-2(config)# security zone-pair DMVPN_C_TWO self
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol icmp
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 2
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol tcp
SPOKE-2(config-security-zone-pair-rule)# match destination-port object-group BGP
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# rule 3
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol udp
SPOKE-2(config-security-zone-pair-rule)# match destination-port object-group BFD
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit

Let us adjust the rules of the LAN security zone, permitting traffic between the LAN zone and DMVPN_C_ONE/DMVPN_C_TWO.

SPOKE-2(config)# security zone-pair LAN DMVPN_C_ONE
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit
SPOKE-2(config)# security zone-pair LAN DMVPN_C_TWO
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit
SPOKE-2(config)# security zone-pair DMVPN_C_ONE LAN
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol icmp
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit
SPOKE-2(config)# security zone-pair DMVPN_C_TWO LAN
SPOKE-2(config-security-zone-pair)# rule 1
SPOKE-2(config-security-zone-pair-rule)# action permit
SPOKE-2(config-security-zone-pair-rule)# match protocol icmp
SPOKE-2(config-security-zone-pair-rule)# enable
SPOKE-2(config-security-zone-pair-rule)# exit
SPOKE-2(config-security-zone-pair)# exit

Operation check:

The state of the IPsec tunnels can be viewed with the command:

HUB-1# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
ipsec_dynamic_cloud_one           198.51.100.2      198.51.100.14     0x22d11891e06edf92   0x40469d552e93e47c   Established   
ipsec_dynamic_cloud_two           198.51.100.6      198.51.100.14     0x61f7a205eeef5d06   0x141239e7309d351c   Established   
ipsec_dynamic_cloud_one           198.51.100.2      198.51.100.10     0x3dbf984518584d5e   0x08563e2683776071   Established   
ipsec_dynamic_cloud_two           198.51.100.6      198.51.100.10     0x500adbe8428c7d35   0x9c83c7a2255cb0ed   Established    
SPOKE-1# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
ipsec_static_cloud_one            198.51.100.10     198.51.100.2      0x3dbf984518584d5e   0x08563e2683776071   Established   
ipsec_static_cloud_two            198.51.100.10     198.51.100.6      0x500adbe8428c7d35   0x9c83c7a2255cb0ed   Established     
SPOKE-2# show security ipsec vpn status 
Name                              Local host        Remote host       Initiator spi        Responder spi        State         
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------   
ipsec_static_cloud_one            198.51.100.14     198.51.100.2      0x22d11891e06edf92   0x40469d552e93e47c   Established   
ipsec_static_cloud_two            198.51.100.14     198.51.100.6      0x61f7a205eeef5d06   0x141239e7309d351c   Established   

The state of the NHRP entries can be viewed with the command:

HUB-1# show ip nhrp peers 
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
203.0.113.2            198.51.100.10      gre 1       00:00:51    00,00:04:41      dynamic           LCP          
203.0.113.3            198.51.100.14      gre 1       00:00:48    00,00:04:44      dynamic           LCP          
203.0.113.130          198.51.100.10      gre 2       00:00:51    00,00:04:41      dynamic           LCP          
203.0.113.131          198.51.100.14      gre 2       00:00:48    00,00:04:44      dynamic           LCP          

SPOKE-1# show ip nhrp peers 
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
203.0.113.1            198.51.100.2       gre 1       --          00,00:00:13      static            RULCP        
203.0.113.129          198.51.100.6       gre 2       --          00,00:00:13      static            RULCP        

SPOKE-2# show ip nhrp peers 
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags        
                                                      (h:m:s)     (d,h:m:s)                                       
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------   
203.0.113.1            198.51.100.2       gre 1       --          00,00:00:16      static            RULCP        
203.0.113.129          198.51.100.6       gre 2       --          00,00:00:16      static            RULCP        
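
The two show outputs above are what an operator reads after a failover; the following added script (not part of the original page or of the vendor's software) parses both in the format shown and flags any expected SA that is not Established and any configured NHS whose NHRP entry is missing or lacks the nhs/used/lower-up flags. The sample output embedded in it is constructed (with one SA and one NHRP entry made deliberately unhealthy), and the expected-value tables are SPOKE-1's addresses from this example.

```python
"""Audit a spoke's 'show security ipsec vpn status' and 'show ip nhrp peers'
output after a cluster failover: every expected IPsec SA must be Established
and every configured NHS must be registered with the R, U and L flags."""
import re
from dataclasses import dataclass

# Constructed sample output in the format of the show commands on this page;
# the second SA state and the second NHRP flag set are deliberately unhealthy.
IPSEC_STATUS = """\
Name                              Local host        Remote host       Initiator spi        Responder spi        State
-------------------------------   ---------------   ---------------   ------------------   ------------------   -----------
ipsec_static_cloud_one            198.51.100.10     198.51.100.2      0x3dbf984518584d5e   0x08563e2683776071   Established
ipsec_static_cloud_two            198.51.100.10     198.51.100.6      0x500adbe8428c7d35   0x9c83c7a2255cb0ed   Connecting
"""
NHRP_PEERS = """\
 Flags: E - unique, R - nhs, U - used, L - lower-up
        C - connected, G - group, Q - qos, N - nat
        P - protected, I - Redirect-ignored, X - undefined

Tunnel address         NBMA address       Tunnel      Expire      Created          Type              Flags
                                                      (h:m:s)     (d,h:m:s)
--------------------   ----------------   ---------   ---------   --------------   ---------------   ----------
203.0.113.1            198.51.100.2       gre 1       --          00,00:00:13      static            RULCP
203.0.113.129          198.51.100.6       gre 2       --          00,00:00:13      static            RCP
"""
# What SPOKE-1 in this example is configured with: (vpn name, remote host)
# per CLOUD, and NHS tunnel address -> NBMA address per CLOUD.
EXPECTED_TUNNELS = {("ipsec_static_cloud_one", "198.51.100.2"),
                    ("ipsec_static_cloud_two", "198.51.100.6")}
EXPECTED_NHS = {"203.0.113.1": "198.51.100.2", "203.0.113.129": "198.51.100.6"}

@dataclass(frozen=True)
class IpsecVpn:
    name: str
    local: str
    remote: str
    state: str

@dataclass(frozen=True)
class NhrpPeer:
    tunnel_addr: str
    nbma_addr: str
    tunnel: str
    kind: str            # static or dynamic
    flags: frozenset     # single-letter flags from the Flags column

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_IPSEC_ROW = re.compile(rf"^(\S+)\s+{_IP}\s+{_IP}\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\S+)$", re.I)
_NHRP_ROW = re.compile(rf"^{_IP}\s+{_IP}\s+(gre \d+)\s+\S+\s+\S+\s+(\S+)\s+([A-Z]+)$")

def parse_ipsec_status(text):
    """Return one IpsecVpn per data row; header and separator lines are skipped."""
    rows = [_IPSEC_ROW.match(line.strip()) for line in text.splitlines()]
    return [IpsecVpn(m.group(1), m.group(2), m.group(3), m.group(4)) for m in rows if m]

def parse_nhrp_peers(text):
    """Return one NhrpPeer per data row; the legend and table header are skipped."""
    rows = [_NHRP_ROW.match(line.strip()) for line in text.splitlines()]
    return [NhrpPeer(m.group(1), m.group(2), m.group(3), m.group(4), frozenset(m.group(5)))
            for m in rows if m]

def check_tunnels(vpns, expected):
    """Flag expected (name, remote) SAs that are absent or not Established.
    Keyed by name AND remote because a HUB lists one SA per spoke under the same name."""
    seen = {(v.name, v.remote): v for v in vpns}
    problems = []
    for name, remote in sorted(expected):
        v = seen.get((name, remote))
        if v is None:
            problems.append(f"{name} to {remote}: no SA present")
        elif v.state != "Established":
            problems.append(f"{name} to {remote}: state {v.state}")
    return problems

def check_nhs(peers, expected_nhs):
    """Flag configured NHS entries that are missing, map to the wrong NBMA address,
    or lack the R (nhs), U (used) or L (lower-up) flag."""
    seen = {p.tunnel_addr: p for p in peers}
    problems = []
    for tunnel_addr, nbma in sorted(expected_nhs.items()):
        p = seen.get(tunnel_addr)
        if p is None:
            problems.append(f"NHS {tunnel_addr}: no NHRP entry")
            continue
        if p.nbma_addr != nbma:
            problems.append(f"NHS {tunnel_addr}: NBMA {p.nbma_addr}, expected {nbma}")
        missing = {"R", "U", "L"} - p.flags
        if missing:
            problems.append(f"NHS {tunnel_addr}: flags missing {''.join(sorted(missing))}")
    return problems

def audit(ipsec_text, nhrp_text, expected_tunnels, expected_nhs):
    """Combine both checks; an empty list means the spoke is healthy."""
    return (check_tunnels(parse_ipsec_status(ipsec_text), expected_tunnels)
            + check_nhs(parse_nhrp_peers(nhrp_text), expected_nhs))

if __name__ == "__main__":
    for problem in audit(IPSEC_STATUS, NHRP_PEERS, EXPECTED_TUNNELS, EXPECTED_NHS):
        print(problem)
```

On a HUB the same parsers work unchanged; only the expected tables differ (one SA per spoke under ipsec_dynamic_cloud_one/two, and no NHS entries of its own).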

Note
If the Active device fails, BGP is fully re-established with the Standby device.